1. Home
  2. Network Admin

Using Nmap For Port Scanning + Other Tools to Use

Nmap is a well-known utility that is bundled with many Linux distributions and that is also available for Windows and several other platforms. Essentially a scanning and mapping tool, there’s a lot that Nmap can do for you.

Today, we’re having a look as using Nmap for port scanning which, incidentally, is the tool’s primary usage. Port scanning is an essential task of network management as it ensures that no backdoors are left unaddressed. It is one of the most basic forms of securing the network.

Before we get into the how-to part of this post, we’ll sidetrack a little and first introduce Nmap and its GUI cousin Zenmap. We’ll then explain what ports are and how you need to be careful not to leave unused ports open on your devices. Then, we’ll get to the essence of this post and show you how to use Nmap for port scanning. And since there are quite a few other tools that can be viable alternatives to Nmap for port scanning—some of them much better or easier to use tools—we’ll finally review some of the very best Nmap alternatives for port scanning.

About Nmap

Nmap stands for Network Mapper. It is a scanning tool that can be used to discover hosts and services, thus building a “map” of the network, hence the name. The tool works by sending specially crafted packets to the target hosts—somewhat like ping but not necessarily using ICMP—and by analyzing the responses it gets.

Nmap’s primary use is in analyzing what services are available on a computer. It can also be used as an IP address scanner. This tool can discover hosts and their services and it can also detect their operating system and more. Using scripting, the tool can be even used for advanced service detection, vulnerability detection, and more. Overall, this is a versatile tool that can be put to good use in many situations.

Nmap, which is a free and open-source command-line tool started as a Linux-only utility but it has since been ported to many other operating systems including Windows, Solaris, HP-UX, most BSD variants including OS X, AmigaOS, and IRIX.

Nmap’s good-looking cousin: Zenmap

If you prefer to work with graphical user interfaces, Zenmap is an open-source GUI front end to Nmap. Its user interface might not be the most sophisticated but it does its job well. The tool is from the same developers as Nmap so you can expect the integration to be good. You can use it to scan all the ports on all computers connected to your network. It will then perform follow-up tests on the open ports that it has discovered. You can also perform a complete scan, scan all TCP ports, or scan all UDP ports. There’s also an intense scan that uses a stealth methodology where the tests won’t be logged by the tested devices as a connection. These can take a long time, though. Expect it to take over 90 minutes for one device.

What Is A Port Anyways?

In one sentence, ports are the network gateways into equipment. Let’s explain. Computers can do many different things at once. And several of these things may require access to the network. But typically, computers have only one physical network interface. Ports were invented to let different processes share a common network interface.

For example, thinks of a server that’s running both a web server and an FTP server, a very common combination. When a request comes in, how does the operating system know if it should send it to the web or FTP servers? Using ports. A request for the webserver will use port 80 while a request for FTP server will use port 22.

Ports are not a physical thing, they’re just numbers from 0 to 65535 that are added to the header of data packets transmitted on a network. And they are not random either. Well, actually they are sometimes. More about his later.

Ont thing that is important for all of this to work is that everyone agrees on which port to use for what. For instance, the webserver mentioned earlier expect requests to use port 80. Your web browser must then use port 80 to send the request to the webserver.

Well-known Ports

The need for agreeing on which port was solved early on by standardizing ports. The Internet Assigned Numbers Authority (IANA, the same organization that also assigns IP addresses) is responsible for maintaining the official assignments of port numbers for specific uses.

Under the IANA’s control, the first 1024 ports were officially assigned to different services. Actually, this is not completely true. Some port assignments are not officially sanctioned by the IANA. They were available and some organization started using them for their purpose–often before the IANA started controlling their assignment–and, through use, their usage stuck.

Today, many of us are familiar with several of these ports. There’s port 80 for web and 21 for FTP, as mentioned earlier. We’re also familiar with port 22 for SSH or 53 for DNS. Not all of the first 1024 ports have been assigned and some are still available but their number is shrinking.

Other Ports

Well-known ports account for the first 1024, so what about the 64512 others? Well, ports 1024 to 49151 are what we call registered ports. Those are also controlled and assigned by the IANA. Any organization can request them for their specific purpose. This is how, for example, port 1433 became the port for Microsoft SQL server or port 47001 became the port for the Windows Remote Management Service. But the Internet being what it is, several ports in that range are used for specific purposes without having been registered with the IANA.

As for ports ranging from 49152 to 65535, they are referred to as ephemeral ports. They are temporarily used by applications to differentiate streams. Think of a web server. Several clients can connect to it at the same time. If they all used port 80, it could be hard for the server to make sure it sends responses to the right requestor. So, the initial connection is done on port 80 after which the server and client “agree” on an ephemeral port number that will be used for the remainder of their exchange.

A Word Of Advice: Keep Unused Ports Closed

On a computer, ports status can either be open, closed or stealth. An open port means that the computer is actively “listening” for connection requests on that port. It is an active port. A closed port, as its name implies, won’t accept incoming connections. Instead, it will respond to any request that the port is closed. Stealth ports are somewhat different. a device trying to connect to those ports won’t even get a response.

Any port that is open is an open door to the computer. And malicious users will certainly try to exploit these open doors to gain access to the computer. For instance, let’s say you have FTP port 21 open although you are not really using FTP. A hacker could then use that open port to exploit a vulnerability of the FTP software running o the computer to inject malicious software.

And if you’re not even using FTP, chances are you might not have updated the FTP server and it could very well contain exploitable vulnerabilities. This is why it is so important to ensure that unused ports are either closed or stealth.

Protect The Ports You Use As Well

As for the post you are actually using, they are still open doors and could be used for malicious activity. This is why you need to protect the open ports. It can be done in several ways, the most basic of which is keeping your operating system and other software up to date. Most software publishers release frequent patches to address discovered vulnerabilities. Another way you can protect yourself is by using firewalls and intrusion detection and/or prevention systems.

Using Nmap For Port Scanning

Using Nmap for port scanning is super easy. If you were expecting a detailed tutorial, you’re in for a pleasant surprise. It’s just not necessary. Port scanning is Nmap’s primary function and, simply put, scanning for ports is just a matter of typing in the command followed by the IP address or hostname of the device you want to scan.

# nmap scanme.nmap.org

Starting nmap ( http://nmap.org )
nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 994 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp closed smtp
53/tcp open domain
70/tcp closed gopher
80/tcp open http
113/tcp closed auth

nmap done: 1 IP address (1 host up) scanned in 4.99 seconds

Simple enough, no? Perhaps you need something a bit more elaborate, though. Let’s run the command once more but, this time, we’ll add a few options. -p0- specifies to scan every possible TCP port, -v specifies to be verbose about it, -A enables aggressive tests such as remote OS detection, service/version detection, and the Nmap Scripting Engine (NSE), and -T4 enables a more aggressive timing policy to speed up the scan. Here’s the result.

# nmap -p0- -v -A -T4 scanme.nmap.org

Starting nmap ( http://nmap.org )
Completed Ping Scan at 00:03, 0.01s elapsed (1 total hosts)
Scanning scanme.nmap.org (64.13.134.52) [65536 ports]
Discovered open port 22/tcp on 64.13.134.52
Discovered open port 53/tcp on 64.13.134.52
Discovered open port 80/tcp on 64.13.134.52
SYN Stealth Scan Timing: About 6.20% done; ETC: 00:11 (0:07:33 remaining)
Completed SYN Stealth Scan at 00:10, 463.55s elapsed (65536 total ports)
Completed Service scan at 00:10, 6.03s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against scanme.nmap.org (64.13.134.52)
Initiating Traceroute at 00:10
64.13.134.52: guessing hop distance at 9
Completed SCRIPT ENGINE at 00:10, 4.04s elapsed
Host scanme.nmap.org (64.13.134.52) appears to be up ... good.
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp closed smtp
53/tcp open domain ISC BIND 9.3.4
70/tcp closed gopher
80/tcp open http Apache httpd 2.2.2 ((Fedora))
|_HTML title: Go ahead and ScanMe!
113/tcp closed auth
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime guess: 2.457 days (since Thu Sep 18 13:13:24 2008)
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
[First eight hops cut for brevity]
9 10.36 metro0.sv.svcolo.com (208.185.168.173)
10 10.29 scanme.nmap.org (64.13.134.52)

Nmap done: 1 IP address (1 host up) scanned in 477.23 seconds
Raw packets sent: 131432 (5.783MB) | Rcvd: 359 (14.964KB)

Some Nmap Alternatives For Port Scanning

As good—and as simple—as Nmap is as a port scanning tools. Perhaps you’ll want to consider other options. There are lots of products out there that can scan ports. Let’s review a few of the best tools we could find. Many are free or offer a free trial so feel free to try any of them and see how that fit your needs.

1. SolarWinds Free Port Scanner (FREE DOWNLOAD)

SolarWinds is one of the major players in the networking tools field. It is also well-known for publishing quite a few very useful free tools. The SolarWinds Free Port Scanner is one of them. The software is only available for Windows and will run through a GUI or as a command-line tool.

SolarWinds Free Port Scanner Screenshot

By default, the SolarWinds Free Port Scanner will scan your network to detect all the IP address. You then select to scan on all the devices or change the range setting scan a subset of your devices. You can also specify the ports to test. By default, it will only test well-known ports but you can override this specify your own range or list of port numbers. More advanced settings will let you scan only TCP or UDP ports, do a ping check, a DNS resolution, or an OS identification test.

As a result, the software will return a list of the status of all tested devices. You can imagine that this could be a long list. Fortunately, the system will let you apply filters and, for instance, only list devices with open ports. Clicking on a device reveals port detail panel. Again, it will list all of the ports in the scan range and again, you can apply a filter and only show the ports that are open.

2. PortChecker Port Scanner

The PortChecker Port Scanner is a web-based scanner. It’s a great tool although not all ports are checked. The service will test 36 of the most important–and vulnerable–well-known ports for accessibility from the internet. It will also test if a service is running on each open port. There’s also an option to run a shorter scan that will only test 13 ports.

PortChecker Port Scanner

The tested ports include FTP data and control, TFTP, SFTP, SNMP, DHCP, DNS, HTTPS, HTTP, SMTP, POP3, POP3 SSL, IMAP SSL, SSH, and Telnet, to name just the main ones. Scan results are displayed as a table on the web page. If you need a quick and dirty test of the most common ports, the free PortChecker Port Scanner might be just the right tool for you.

3. WebToolHub Open Port Scanner

The Open Port Scanner from WebToolHub is another free online port checker. The system requires that you enter an IP address and a list of ports to check. You can only enter 10 port numbers at a time so you’ll need to run it multiple times to test more. You don’t have to enter individual port numbers, though. The system will support a range–such as 21-29–as long as it is no longer than 10. It appears to be a better tool for a quick check of specific ports than a complete vulnerability assessment tool.

WebToolHub Open Port Scanner

Once the scan completes, which is rather quickly, the results are displayed in a table format with the status of each port as well as service registered with that port. The results table can be exported to a CSV file. And while you’re on the WebToolHub site, you may want to have a look at some of the other free tools such as an IP location checker, a backlinks checker, a WHOIS lookup facility, and a Ping test.

4. IP Fingerprints Network Port Checker

IP Fingerprints is another website where you’ll find a certain number of free and useful tools, Amongst them is the Network Port Checker. To use it, you simply enter an IP address and a range of ports to check. Although the number of scanned ports is not limited, you are warned that a number of ports in excess of 500 might take a while to scan and that a large range will start a scan that may never end.

IP Fingerprints Network Port Checker

This tool claims to be able to work around firewalls. It is done by using SYN requests. A real connection is thus never opened and many firewalls will let the SYN request through. Whether it does go through the firewall or not is not totally relevant. This is still a very good test no matter what as it is a common method used by hackers.

5. Free Port Scanner

The Free Port Scanner is a Windows freeware that can be downloaded from the Major Geeks website. You can use this tool to scan ranges of ports. The number of scanned ports is not restricted so you could decide to scan all ports if you have time to kill.

Free Port Scanner

By default, the tool will want to scan your own IP address for open ports from its own default list of ports. As you’d expect, the duration of the scan is proportional to the number of ports scanned. And it is slower when testing ports on a different device. For example, testing for all ports on your router could very well take all day. Results can show open or closed ports or both. The tool has no documentation and it’s not clear what testing method is used. Also, it appears that it only tests TCP ports, not UDP.

6. Port Checker

Port Checker is not to be confused with the PortChecker Port Scanner reviewed above. It is a Windows tool that is best downloaded from Softpedia. The software has no installer. you simply download its zip file, extract the executable file and run it. The executable is small and not requiring installation means you can run it from a USB stick.

Port Checker v1.0

The tool’s user interface is plain and quite easy to use. You simply enter an IP address and select a port number from a drop-down list. The two main limitations of this tool are that you can’t scan any port, just those from the list and that it will only scan one port per run. Despite its limitations, Port Checker is a great tool when you just need to check whether a specific port is open or not.

Leave a comment